Azure vpn basic tier. Forced tunneling

Question

Azure vpn basic tier. Forced tunneling

MagnusWestMadsen 25

Hello.

Is it at all possible to setup forced tunneling for a P2S on a Basic tier vpn gateway.

We have an Azure environment that we need to route our traffic through when using out point to site.

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-08-14T09:05:34.62+00:00

@Anonymous , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-08-18T10:51:38.5666667+00:00

@Anonymous , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Accepted answer

0 additional answers

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-08-14T09:05:34.62+00:00

@Anonymous , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-08-18T10:51:38.5666667+00:00

@Anonymous , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Answer 1

Hello @Anonymous ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if it is possible to setup forced tunneling for a point to site VPN on a Basic SKU VPN gateway.

Forced tunneling is supported on P2S VPN via custom routes and that forces all traffic from the client to Azure. You can direct all traffic to the VPN tunnel by advertising 0.0.0.0/1 and 128.0.0.0/1 as custom routes to the clients. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

Basic SKU Route based VPN gateway supports P2S connection only via Azure Certification authentication method and you may be able to add advertise 0.0.0.0/1 and 128.0.0.0/1 as custom routes to the clients.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#config

But please note that:

Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

So, your local/remote machine will not be able to access Internet once you configure this forced tunneling on P2S.

Hence, you need to introduce another resource such as Azure Firewall or a NVA (Network Virtual Appliance) which can take care of the Internet connectivity.

But there is another limitation on the traditional VPN gateway (when I say traditional VPN gateway, I mean a VPN gateway without vWAN solution, which is deployed directly into a Vnet) as below:

Traditional VPN gateways do not have the EnableInternetSecurity flag option. This flag is needed and must be set to true for your clients to be properly configured for forced-tunneling/accessing Internet via the VPN gateway.

Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/set-azvirtualnetworkgateway?view=azps-10.1.0

However, the P2S VPN gateway under Virtual Hub has this option.

Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/update-azp2svpngateway?view=azps-10.1.0

So, in order to reach the Internet via Azure P2S VPN gateway, you need to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

When you secure internet traffic via Azure Firewall (Firewall Manager), you can advertise the 0.0.0.0/0 route or any custom route to your VPN clients. This makes your clients send the internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.

To do this, you need to setup an Azure Firewall & then configure a Policy to allow P2S traffic to Internet.

You can also use a NVA instead of Azure Firewall as per your requirement.

To advertise custom route to your VPN clients, refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

You can also add the route directly in your downloaded azurevpnconfig.xml file as below:

<clientconfig>
 <includeroutes>
     <route>
         <destination>1.2.3.4</destination><mask>32</mask>
     </route>
 </includeroutes>
</clientconfig>

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-routes

You can refer the below doc which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN and take inputs on the configuration: https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

Another reference for you: https://learn.microsoft.com/en-us/answers/questions/589858/index.html

Conclusion:

If you want to configure forced tunneling via P2S which will allow you to send all traffic (including Internet-bound traffic) from remote users to Azure, then you need to do it via Virtual WAN Point to Site VPN.

Using the traditional VPN gateway (Basic SKU or any other SKU), this is not possible.

And Virtual WAN Point-to-site VPN gateway is differentiated using scale units and not SKU.

Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#for-user-vpn-point-to-site--how-many-clients-are-supported

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

MagnusWestMadsen 25 Reputation points

2023-08-07T09:32:01.0533333+00:00

Thank you vary much for the thorough explanation, it was vary enlightening, as searching for this specific information has been a jungle to get through on my own.

I just want to ask for some clarification on one thing as i am not sure what makes it a technical limitation.

I have a basic tier VPNGW and an Azure Firewall(basic) i have set the custom routes on my P2S VPN client to (0.0.0.0/1, 128.0.0.0/1) to force traffic to my azure environment. now as you mentioned that it needs to go through a firewall for SNAT, could i not just funnel traffic to the firewall via a route table.

Or is this what the lack of "EnableInternetSecurity" flag prevents. I am unsure what this flag exactly does, i have not been able to find information about it.

Thank you in advance for your help
MagnusWestMadsen 25 Reputation points

2023-08-07T09:41:03.4566667+00:00

EDIT: Duplicate comment deleted, first one didnt apear for me to begin with.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-08-08T03:19:18.4066667+00:00

Hello @Anonymous ,

In case of a normal Vnet with Azure Firewall, all your VPN gateway traffic should be forwarded to the Firewall, but this is not possible because user-defined routes with a 0.0.0.0/0 destination on the GatewaySubnet are not supported. And as mentioned before, Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

EnableInternetSecurity flag is responsible for enabling this 0.0.0.0/0 custom route which is not possible to add manually to a GatewaySubnet due to the above limitation.

Hence, as of today, Virtual WAN Point to Site VPN is the only way to setup forced tunneling with Internet access.

Regards, Gita

Share via

Azure vpn basic tier. Forced tunneling

0 additional answers

Your answer